PassWeb

If you use the Internet much, you have a hundred different passwords for things like email accounts, subscriptions, banking, social media, and the like.
The best passwords are long and complex (combining letters, numbers, symbols, and punctuation) and never reused across different accounts.
With so many to remember, some people use a password manager to securely store everything behind a single, memorable master password of suitable complexity.
Password managers make it easy to use strong passwords for every account - but they also introduce a single point of failure.
Much has been said on both sides of the argument and the decision to use a password manager should be made carefully.

If you decide a password manager is right for you, there are different kinds and many options to choose from.
For my purposes, a cloud-based password manager seemed best.
Thinking about what's important to me, I wanted something:

Trustworthy

Open source

Cross-platform

Cross-device

Offline-enabled

Simple

I couldn't find a perfect match, so I wrote my own cloud-based password manager: PassWeb.
From time to time, someone asks to try it out, so I've open-sourced the implementation for anyone to evaluate, use, and improve.

Disclaimer

I've tried to ensure PassWeb is safe and secure for normal use in low-risk environments, but do not trust me.
Before using PassWeb, you should evaluate it against your unique needs, priorities, threats, and comfort level.
If you find a problem or a weakness, please let me know so I can address it - but ultimately you use PassWeb as-is and at your own risk.

FAQ

What is PassWeb?
PassWeb is a simple online/offline web application to securely manage passwords. Data is encrypted locally and stored in the cloud so it's available from anywhere. Unencrypted data never leaves the machine, so YOU are in total control.

How do I use PassWeb?
Click an entry's title to open its web site. Click the name/password field to copy (where supported) or select it for you to copy+paste. Click the padlock to generate a random, complex password for each site. Notes store additional info.

How do I create a login?
Contact the administrator with the user name you want and he/she will create a new account with a temporary password. Log in, change the master password to something only you know (and won't ever forget!), then create entries for all your accounts.

What if I'm not online?
Checking the "Cache encrypted passwords" box makes your data available offline. Changes are synchronized with the server next time you use PassWeb online. Simple updates merge seamlessly; overlapping updates should be avoided.

What if I leave PassWeb open?
It's okay: PassWeb logs you out after three minutes of inactivity to protect your data. Names and passwords unmasked for copy+paste are re-masked after ten seconds to prevent anyone nearby from reading them.

Why shouldn't I use untrusted devices?
Untrusted machines (like a library kiosk or a friend's laptop) may have malware installed that records keystrokes. Typing your master password on such a device would compromise it, allowing an attacker to use your PassWeb account.

What if I forget the master password?
Sorry, your data is irretrievably lost! PassWeb's encryption algorithm is government-grade and there aren't any backdoors or secondary passwords. It's up to you to remember the master password - and keep it secure!

What browsers can I use?
Because it's simple and standards-based, PassWeb works cross-platform on modern browsers like recent releases of Internet Explorer, Chrome, Firefox, and Safari. If you see a problem, please email me detailed steps to reproduce it.

Why is it important to use HTTPS?
HTTPS creates a secure connection that encrypts all data and makes it difficult for others to intercept. HTTPS helps verify the identity of web servers, prevents tampering with content, and will soon be supported by all major sites.

How was PassWeb developed?
The client is built using HTML, CSS, and JavaScript on top of the React, crypto-js, and lz-string libraries. The server's REST API runs on either ASP.NET or Node.js. Encryption uses 256-bit AES in CBC mode. Hashing uses SHA-512.

Configuration

The client for PassWeb is a simple HTML application and can be hosted on any web server or file server.

For offline mode to work, the offline.appcache file must be served as type text/cache-manifest and should not be cached.

The server for PassWeb is a simple REST API that stores and retrieves blobs of data.

Setting up the Node.js server requires familiarity with package management and some manual configuration.

A test suite helps ensure both implementations behave the same.

With default settings for the server, creation of new blobs is blocked to prevent unwanted users; the administrator should temporarily unblock when creating a login for a new user.

In the ASP.NET implementation, this is done by commenting out the following line in App_Code\RemoteStorage.cs:

// Remove to allow the creation of new files
#define BLOCK_NEW

In the Node.js implementation, this is done by changing the following variable to false in NodeJs\remotestorage.js:

// Set to block the creation of new files (set environment variable to "false" to override)
BLOCK_NEW: process.env.BLOCK_NEW !== "false",

Alternatively, set the BLOCK_NEW environment variable to "false" before starting the server.
This applies a temporary override without changing the code, which is convenient when creating a new account.
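As an added example (not PassWeb's own server code), here is a minimal in-memory blob store that applies the BLOCK_NEW rule just described: creating a blob that does not yet exist is refused unless the BLOCK_NEW environment variable is exactly the string "false", while updating an existing blob is always allowed. The store, its status codes and the seed data are constructed for the example.

```javascript
// Added example (not PassWeb's own server code): an in-memory store that
// enforces the BLOCK_NEW rule. Status codes and seed data are constructed.
function blockNewFromEnv(env) {
  // Same test as the remotestorage.js line above: only the exact string
  // "false" overrides. Unset, "0", "no" or "FALSE" all keep creation blocked.
  return env.BLOCK_NEW !== "false";
}

// initialBlobs: constructed seed data standing in for files already on disk
function createStore(env, initialBlobs = []) {
  const blobs = new Map(initialBlobs);
  const blockNew = blockNewFromEnv(env);
  return {
    put(name, data) {
      const exists = blobs.has(name);
      if (!exists && blockNew) {
        // New user: refused until the administrator lifts the block
        return { ok: false, status: 403, created: false };
      }
      // Existing users keep working while the block is in place
      blobs.set(name, data);
      return { ok: true, status: 200, created: !exists };
    },
    get(name) {
      return blobs.has(name) ? blobs.get(name) : null;
    },
  };
}
```

Note the strict comparison: exporting BLOCK_NEW=0 or BLOCK_NEW=FALSE does not unblock the server, so a typo in the override leaves creation blocked rather than silently opening it.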

Implementation

Offline use (optional)

The encrypted data file is read from and written to both the server API and HTML local storage after every change.

When the server can't be reached (e.g., when offline), changes can be made locally.

When the server is reachable during login, local and remote changes are synchronized and both locations are updated.

Non-conflicting changes to different accounts merge seamlessly; conflicting edits to a single account are resolved by keeping the most recent entry.
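The merge rule described in the four points above, as an added example that is not PassWeb's own code. Each entry is assumed to carry a stable id, a modified timestamp and an optional deleted flag; these fields, the storage callbacks and the sample entries are constructed for the example, since the README does not show PassWeb's entry format.

```javascript
// Added example (not PassWeb's own code): reconciling the local (offline)
// copy of the entry list with the server's copy at login. Entry fields
// (id, modified, deleted) are constructed for the example.
function mergeEntries(localEntries, remoteEntries) {
  const merged = new Map();
  for (const entry of remoteEntries) merged.set(entry.id, entry);
  for (const entry of localEntries) {
    const remote = merged.get(entry.id);
    // Entry only exists locally (created offline), or the local edit is the
    // more recent one: take the local version. On an exact tie the server's
    // copy stands. Edits to different entries never collide here.
    if (!remote || entry.modified > remote.modified) merged.set(entry.id, entry);
  }
  // Sorted so both locations end up with the same file after the merge
  return [...merged.values()].sort((a, b) => a.id.localeCompare(b.id));
}

// Deletions are kept in the stored list as tombstones (deleted: true with a
// timestamp) so that removing an account on one device also removes it on the
// other instead of being resurrected by a plain union. This view hides them.
function activeEntries(entries) {
  return entries.filter((e) => !e.deleted);
}

// Run once at login when the server is reachable: both locations receive the
// same merged list. The read/write callbacks stand in for local storage and
// the REST API (constructed for the example).
function synchronize(readLocal, readRemote, writeLocal, writeRemote) {
  const merged = mergeEntries(readLocal(), readRemote());
  writeLocal(merged);
  writeRemote(merged);
  return merged;
}
```

The tombstone rule is the part a plain "union of both lists" misses: without it, an entry deleted offline reappears the next time the server copy is merged back in.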